KR20110029340A - Protection system against ddos - Google Patents

Abstract

PURPOSE: A protection system against DDoS(Distributed Denial of Service) attack is provided to access a service client through a simple authentication process by establishing an unregistered client as a gray zone. CONSTITUTION: A connection control server(200) extracts the list including a user's IP information, when a client having a specific user IP accesses the server. The connection control server decides the connection state of the client. The authentication server(300) receives a user IP which is not capable of being classified, and not included the first and the second list from the connection control server. The certification server requests the input of the authentication key capable of confirming a normal user. If the authentication key is normally inputted, the certification server permits a connection.

Description

Protection system against DDoS attacks {Protection system against DDoS}

The present invention relates to a defense system for distributed denial of service attacks (DDoS), and more specifically, after registering a client as a normal user group and an abnormal user group, only a client corresponding to the abnormal user group blocks access in advance, and each group The present invention relates to a defense system for distributed denial of service (DDoS) attacks that can cope with DDoS attacks by allowing a client that is not registered to a gray zone to be connected after being authenticated.

Distributed Denial of Service (DDoS) attacks are obvious attacks by attackers or attackers to use zombie to hinder or hinder legitimate use of host computers, routers, servers, networks, and the like. Such denial of service attacks can be initiated within the target network itself, but most are originated from external systems and networks connected to the target via the Internet.

Today's Internet-connected devices, systems, and networks face real threats from today's rapidly expanding DDoS attacks. These attacks not only damage the intended targets, but also threaten the stability of the Internet itself.

Early DoS attack techniques used simple tools to generate and send packets from a single source to a single destination. Often these attacks were configured manually, which limited the number and efficiency of the attacks and could be easily defended by, for example, source address packet filtering.

Recently, however, toolkits have been developed that automatically execute multi-source attacks against one or more targets, known as distributed DoS (DDoS) attacks. These toolkits can be easily downloaded from hacker websites and are so easy to use that even an inexperienced Internet user can set up a DDoS attack.

Multisource attacks against single targets are the most common form of DDoS attacks currently against Internet-connected devices, systems, and networks. This attack takes advantage of the large resource asymmetry between the Internet and the target in that a sufficient number of compromised hosts are gathered to send useless packets towards the target at about the same time. The amount of combined traffic is often sufficient to cause the target system or network to crash and / or flood its Internet connection, thus effectively removing the target from the Internet, at least for the duration of the attack. . This type of attack is often referred to as a packet flooding DDoS attack.

In single-source DoS attacks, it was possible to use packet filtering, for example, to track the source of an attack and discard packets that are being received from that source if the packet contains a real source address. It is more malicious in that the number of zombies sending useless packets can reach tens of thousands, even hundreds of thousands, and address spoofing is often used to mask the zombies' identifiers.

Even if the source of an obsolete packet can be identified, this may not help the target defend itself, because the received packet is a so-called reflector or indirect DDoS attack. It may be from a legitimate source that is prompted to send a packet towards the target, as in. Blocking packets from these sources also blocks packets from legitimate users.

Due to the distributed nature of the attack, packet filtering in the target and its vicinity usually misses the attack packet as well as the normal (legitimate) packet, because the packet filterer cannot distinguish them and at least on the target. This is because the service gets corrupted.

As a result, the detection of DDoS at the target is generally ineffective, since the detection is always too late so that the target system is already out of service and the attacker (Commander Center, CC) who does the actual attack order is secured. In addition, it is not easy to secure a CC that orders the actual attack by attacking through an attack agent system (hereinafter referred to as a zombie system) that rents a zombie for a period of time through a zombie sales site. Acquiring a CC and searching for attackers has not been easy in the past for effective defense against DDoS attacks.

Often, the ISP's Internet Service Provider (ISP) network drops all packets destined for the target network (Black Hole Routing) when a DDoS attack is detected, thus effectively shutting down the service on the target network, which in turn causes itself to attack the DDoS. The target network's efforts to defend against it go hand in hand.

All such systems attempt to determine whether the behavior is significantly deviating from normal behavior as a way to detect DDoS attacks by monitoring packets passing through points or points in the Internet and analyzing certain aspects of aggregated packet stream behavior.

The main problem is figuring out what constitutes normal behavior. The absolute measure of boiling of the expected number of packets or User Datagram Protocol (UDP) packet-to-Transmission Control Protocol (TCP) packets going to a given destination address is determined by the new website. It has a limited value because traffic patterns can change dramatically due to legitimate reasons, such as being popular or new applications being deployed.

Other techniques, such as logging the ratio of TCP SYN messages to ACK messages, can identify some DoS attacks, but attackers can use these unique parameters to quickly bypass detection tools.

Regardless of where and how DDoS attacks are detected, in addition to simply discarding all packets destined for the target, currently proposed methods for defending against DDoS attacks include at least the ingress packet filtering by the target and / or its ISP. performing filtering). This involves the ISP confirming that the source address of the packet is appropriate for its destination target system link.

Another way to defend against DDoS attacks is to augment the packet's routing information so that even remote ISPs can identify links that may be coming from a packet with a particular source address.

Given enough packets, the use of existing fields in the Internet Protocol (IP) header in addition to its intended use to include information that the recipient can reconfigure the path taken by those packets would allow the recipient to filter the attack packets. It can be removed. However, this method has limited efficiency because it can still be exploited by an attacker to deliver large amounts of false information to the target (recipient).

Thus, the question remains of how to identify a DDoS attack and how to block or reduce its effectiveness when there is an attack. Existing methods for detecting DDoS attacks at any selected point (or points) in the Internet are highly variable over time and are based on parameters that can evolve and disappear as the Internet's technology advances. Therefore, what is needed is a method based on general enough parameters that is invariant to changes in technology and highly likely to detect many DDoS attacks.

Despite the measures to install a DDoS attack detection system in the Internet, most DDoS detection and defense systems operate on the Internet operated by end hosts (recipients, possible targets) who want to protect their networks, systems and devices from such attacks. It is located at the boundary of. Given the nature of flooding packet attacks, defense systems that must have high processing capacity unless the filtering system itself is neutralized rely primarily on packet filtering to defend against the attack.

Currently, competing ISPs have little incentive to upgrade their networks to defend against DDoS attacks, but this can change as legislative pressures around the world apply. Therefore, there is a need for a method that allows the receiver to more intelligently filter received packets and create a motivation to support this process for other connected systems and networks on the Internet.

Accordingly, an object of the present invention is to register a client connected through a network as a normal user group and an abnormal user group, and then the client corresponding to the abnormal user group blocks access in advance, and the gray zone ( The Gray Zone allows users to connect through a simple authentication process, providing a fundamental and fundamental defense to cope with DDoS attacks caused by zombies and to effectively control zombies.

In order to achieve the object of the present invention described above, the defense system for distributed denial of service attacks (DDoS) according to the present invention is classified into three groups including a normal IP, an attacker IP, and an unclassifiable IP. In the defense system of the distributed denial of service attack (DDoS), the first list of the user IP group that can be allowed to access in response to the normal use IP, the second list for the user IP group blocked access corresponding to the attacker IP A connection control server which manages a list and determines whether to connect by extracting a list corresponding to the connected user IP when a client having a predetermined user IP is connected, and the connection control server corresponds to the first and second lists. If a user IP of a non- classifiable client is transmitted, a request for input of an authentication key for distinguishing a normal user is performed. Characterized in that it consists of an authentication server that allows access when the phase input.

In this case, the first list and the second list are database-managed and managed in a database, and the access control server and the authentication server are connected to the database, respectively.

The access control server determines to be a normal user when the user IP of the connected client corresponds to the first list and permits access, and determines to be an abnormal user when the user IP of the connected client corresponds to the second list. If the user IP of the connected client does not correspond to the first and second lists, the access point is determined as a gray zone and transmitted to the authentication server.

On the other hand, the authentication key of the authentication server is characterized in that the graphic puzzle consisting of at least one combination of numbers, random numbers, letters, special symbols.

The authentication server may include the user IP of the client that normally inputs the authentication key in the first list, and include the user IP of the client that does not input the authentication key in the second list. .

The access control server may continuously update user IPs normally connected before a distributed denial of service attack as a first list and abnormal user IPs normally held as a second list.

The access control server is characterized in that the user IP registered in the first list and the second list is automatically removed from each list when a predetermined time has elapsed after applying a timestamp so that access is blocked or allowed for a predetermined time. .

On the other hand, the access control server is characterized in that to display a warning message to the client using a pop-up window when the user IP of the connected client corresponds to the second list.

In addition, if the user IP of the connected client corresponds to the second list, the access control provider presents a treatment method to the client using a web page, and warns the user to click a 'block list release request' button after the treatment. Characterized by the present through.

The authentication server includes a communication unit for exchanging information with a client and a connection control server, a puzzle generation unit for generating the authentication key, a puzzle transmission unit for transmitting the authentication key to a client of a user IP transmitted from the connection control server; The key input determination unit determines whether the key input data and the authentication key match when the key input data is transmitted from the client, and when the key input data input by the client in the key input determination unit matches the authentication key, the key is normal. And a connection control unit for allowing access by judging as a user and blocking access by judging as an abnormal user if key input data is not input.

At this time, the puzzle generation unit, using the information included in the URL of the client to check the support language, characterized in that for generating a graphic puzzle of different languages according to the support language for each client.

On the other hand, the access control server or the authentication server is characterized in that it comprises an update unit for adding the user IP allowed to access from the authentication server to the first list, and adds the user IP blocked the access to the second list. .

According to the defense system of the distributed denial-of-service attack (DDoS), after registering a client connected through the network as a white list as a normal user and a black list as an abnormal user, only the clients corresponding to the black list are blocked in advance. By classifying new access IPs which are clients not registered in each list into gray zones without distinguishing between attackers and normal users, users can be connected through a simple authentication process at the beginning of the connection. Regardless of the pattern of the violent attack, there is an effect that can block the DDoS attack most fundamentally and clearly.

In addition, the present invention can find a client corresponding to a white list or a black list on the basis of behavior through linkage with each server in charge of traffic analysis, access control, and authentication, and consistently with respect to various attack methods. By classifying normal users and zombie PCs through a corresponding authentication system, it is possible to intelligently block or filter abnormal traffic received from a network, even if advanced management skills are not required, and to effectively induce healing.

On the other hand, the present invention by using the information contained in the URL of the target server to check the supported language of the target server to create a graphic puzzle according to the transmission of the program in a foreign country by the individual language authentication for domestic and foreign users It is possible to block or control the access through the source, and to manage foreign language sites operated in Korea separately, thereby minimizing the inconvenience of foreign visitors even during DDoS attacks.

As the invention allows for various changes and numerous embodiments, particular embodiments will be illustrated in the drawings and described in detail in the written description. However, this is not intended to limit the present invention to specific embodiments, it should be understood to include all modifications, equivalents, and substitutes included in the spirit and scope of the present invention. Like reference numerals are used for like elements in describing each drawing.

Unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art. Terms such as those defined in the commonly used dictionaries should be construed as having meanings consistent with the meanings in the context of the related art and shall not be construed in ideal or excessively formal meanings unless expressly defined in this application. Do not.

The present invention can be embodied as computer readable codes on a computer readable recording medium. The computer-readable recording medium includes all kinds of recording devices in which data that can be read by a computer system is stored. Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, and the like, and are also implemented in the form of a carrier wave (for example, transmission over the Internet). It also includes. The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

Hereinafter, with reference to the accompanying drawings, it will be described in detail a preferred embodiment of the present invention.

1 is a block diagram showing the overall configuration of a defense system for distributed denial of service attacks (DDoS) according to an embodiment of the present invention, Figure 2 is a block diagram showing the internal configuration of the authentication server according to an embodiment of the present invention to be.

Referring to FIG. 1, a defense system for a distributed denial of service attack (DDoS) according to an embodiment of the present invention includes a plurality of clients 110, an access control server 200, and an authentication server 300 connected through a network. And a database 400, the application of the present invention is not limited thereto, and may include a server computer that can be accessed on the web, such as a traffic analysis server or a guidance server.

In addition, the defense system for distributed denial of service attacks (DDoS) according to an embodiment of the present invention includes a network 100, the network 100 is a medium used to provide a communication link between various devices and computers And various connection means such as wires, wireless communication links, or fiber optic cables.

Here, the client 110 is a personal computer or a network computer, each of which has a unique user IP and accesses various web pages on the network through the network 100.

The access control server 200 manages a first list 410 for a user IP group that can be allowed to access and a second list 420 for a user IP group that is blocked from access, thereby managing a client having a predetermined user IP ( 110) In the connection, it is determined whether to allow the connection by comparing the user IP and the list of the connected client 110.

That is, if the user IP of the connected client 110 corresponds to the first list 410, the access control server 200 determines that the user is a normal user and permits access, and the user IP of the connected client 110 is deleted. 2, if the user 420 of the connected client 110 does not correspond to the first and second lists 410 and 420, the access is determined to be an abnormal user. The determination is made and notified to the authentication server 300.

To this end, the access control server 200 registers the IPs of users normally connected before a distributed denial of service attack (DDoS) as a white list, selects it as a first list 410, and selects the database 400. ). Then, the IPs of the abnormally held users are normally registered as a black list, the second list 420 is selected and stored in the database 400, and the white list and the black list information are continuously updated. .

In addition, the access control server 200 applies a time stamp to block or allow access for a predetermined time to each of the IPs registered in the first list 410 and the second list 420, and when the predetermined time is exceeded. To be automatically removed from the list.

Therefore, when a client corresponding to the first list 410 is removed from the first list after a certain time, the client corresponding to the first list 410 also periodically tries to access the client through the authentication procedure again. You can check whether you are a normal user.

In addition, if the user IP of the connected client corresponds to the second list 420, the access control server 200 uses a pop-up window such as a warning message to the client, such as "Zombie PC. To display.

Of course, if the user IP of the connected client corresponds to the second list 420, the access control server 200 suggests a healing method to the client by using a web page, and after the treatment, presses the 'block list release request' button. A warning message may be suggested to click.

Meanwhile, the authentication server 300 is for classifying normal users and zombies (that is, attackers), and users of clients who do not correspond to the first and second lists 410 and 420 in the access control server 200. When the IP is delivered, it requests an input of an authentication key for distinguishing a normal user, and allows access only when the authentication key is normally input.

At this time, the authentication server 300, as shown in Figure 2, the communication unit 310 for exchanging information with the client 110, the connection control server 200 and the database 400, and the connection control server ( Graphic puzzle 325 composed of at least one or more combinations of numbers, random numbers, letters, and special symbols to the client of the user IP delivered to the client IP, that is, a puzzle generator 320 for generating an authentication key, and the access control server ( The puzzle transmission unit 330 for transmitting the graphic puzzle 325 to the client of the user IP corresponding to the gray zone transmitted from 200, and the key input data corresponding to the graphic puzzle 325 in the client 110 When it is transmitted through the communication unit 310, the key input determination unit 340 for determining whether the key input data matches the graphic puzzle 325 and the key input data input by the client as a result of the determination by the key input determination unit 340. Wow If the graphic puzzle 325 matches, the access control unit 350 determines that the user is a normal user and permits access.

In the meantime, the access control server 200 or the authentication server 300 adds a user IP allowing access to the first list 410 and adds a user IP which has blocked access to the second list. Update unit 360 for transmitting new information to the.

The database 400 stores a first list 410 for a user IP group corresponding to a white list and a second list 420 for a user IP group corresponding to a black list. New information is continuously added, deleted, or modified through the 200 or the authentication server 300.

The database 400 may provide a plurality of repositories in addition to a repository in which the first and second lists 410 and 420 are stored, and may store various data such as various operations, applications, and user information.

Hereinafter, an operation of the defense system for distributed denial of service attacks (DDoS) according to an embodiment of the present invention will be described.

3 is a flow diagram of a defense system for distributed denial of service attacks (DDoS) in accordance with an embodiment of the present invention.

Referring to FIG. 3, a defense system for a distributed denial of service attack according to an embodiment of the present invention includes a first list 410 corresponding to a white list consisting of user IP groups normally connected before a DDoS attack. A second list 420 corresponding to a black list of user IP groups having zombie PCs infected with DDoS or other malicious programs is stored in the database 400.

At this time, when attempting to access the client 1 111 corresponding to the white list, the access control server 200 inquires the user IP of the client 1 111, and if the user IP corresponds to the first list 410, the client. Allows the connection of 1 (111) (S1, S2, S3).

On the other hand, when the client 2 112 corresponding to the black list attempts to connect, the access control server 200 inquires the user IP of the client 2 112 and the user IP corresponds to the second list 420. Blocking the connection of the client 2 (112), and is estimated to be a zombie PC outputs a warning message requesting to retry the connection after the vaccine treatment in a pop-up window. (S4, S5, S6)

On the other hand, when the client 3 113 attempts to connect, the access control server 200 checks the user IP of the client 3 113 and checks whether the user IP corresponds to the first and second lists 410 and 420. .

As a result, if the user IP of the client 3 113 does not exist in both of the first and second lists 410 and 420, it is determined to be a gray zone, and the user IP of the client 3 113 is sent to the authentication server 300. (S7, S8, S9)

Then, the authentication server 300 generates and transmits a graphic puzzle 325 composed of at least one combination of numbers, letters, special symbols, and random numbers to the user IP of the client 3 113 (S10, 11).

When the key input data inputted after viewing the graphic puzzle 325 is transmitted from the client 3 113, the authentication server 300 determines whether the key input data and the graphic puzzle 325 match, and if the data match, the client 3 ( 113 is allowed to connect (S12, S13, S14, S15).

On the other hand, if the key input data is transmitted but the key input data and the graphic puzzle 325 does not match, the authentication server 300 undergoes a re-authentication procedure. If the key input data is not transmitted from the client 3 113, the abnormal user ( Zombie PC), and disconnects client 3 113 (S16, S17, S18).

In addition, the authentication server 300 adds the user IP of the client 3 113 allowed to access through its update unit 360 or the access control server 200 to the first list 410, or access is established. The user IP of the blocked client 3 113 is added to the second list 420.

On the other hand, if the client 110 registered in the second list 420 removes a malicious program existing in its computer and attempts to access, the blacklist is blocked by clicking the 'Block List Release Request' button on the guide page. When requesting the release, it checks whether the corresponding IP is a normal user, excludes it from the second list 420 that is a black list, and then transfers the authentication server 300.

In the above, an embodiment for implementing a function corresponding to a distributed denial of service attack (DDoS) has been described. However, the defense system of the distributed denial of service attack (DDoS) of the present invention is not limited to being performed in a DDoS attack. It can also be applied to Trojan horses and other types of harmful programs designed to disrupt normal operation of data processing systems or networks.

Although described with reference to the above embodiments, those skilled in the art will understand that various modifications and changes can be made without departing from the spirit and scope of the invention as set forth in the claims below. Could be.

The present invention relates to a defense system for Distributed Denial of Service (DDoS), and in particular, after registering a client connected through a network as a white list as a normal user and a black list as an abnormal user, only a client corresponding to the black list is previously connected. Blocks and allows clients not registered in each list to be authenticated using a gray zone to respond to DDoS attacks, and in addition, abnormal traffic infected with malicious programs that interfere with the normal operation of the system or network. Can be intelligently blocked or filtered and induces effective healing.

1 is a block diagram showing the overall configuration of a defense system for distributed denial of service attacks (DDoS) according to an embodiment of the present invention,

2 is a block diagram showing an internal configuration of an authentication server according to an embodiment of the present invention;

 3 is a flow diagram of a defense system for distributed denial of service attacks (DDoS) in accordance with an embodiment of the present invention.

*** Explanation of symbols for main parts of drawing ***

100: network 110: client

200: access control server 300: authentication server

310: communication unit 320: puzzle generation unit

325: graphic puzzle 330: puzzle transmission unit

340: key input determination unit 350: connection control unit

360: update unit 400: database

410, 420: first and second list

Claims (12)

In a defense system of a distributed denial of service attack (DDoS), the access IP is classified into three groups including a normal use IP, an attacker IP, and an unclassifiable IP. Managing a first list of user IP groups that are allowed to access in response to the normal use IP, and a second list of user IP groups that are blocked from access in response to the attacker IP, and accessing a client having a predetermined user IP. An access control server extracting a list corresponding to the connected user IP and determining whether to access the same; If the user IP of a non-classifiable client that does not correspond to the first and second list is delivered from the access control server, request input of an authentication key for distinguishing a normal user, and allow access when the authentication key is normally input. Distributed Denial of Service (DDoS) defense system, characterized in that consisting of an authentication server. The method of claim 1, And the first list and the second list are database-managed and managed in a database, and the access control server and the authentication server are connected to the database, respectively. The method of claim 1, The access control server determines to be a normal user when the user IP of the connected client corresponds to the first list and permits access, and determines to be an abnormal user when the user IP of the connected client corresponds to the second list. If the user IP of the connected client does not correspond to the first and second list, it is determined as a gray zone and forwarded to the authentication server, characterized in that the defense system for distributed denial of service attacks (DDoS). The method of claim 1, The authentication key of the authentication server is a defense system for distributed denial of service (DDoS), characterized in that the graphic puzzle consisting of a combination of at least one of numbers, random numbers, letters, special symbols. The method of claim 1, The authentication server is configured to include the user IP of the client that normally enters the authentication key in the first list, and to include the user IP of the client that does not enter the authentication key in the second list. Defensive attack (DDoS) defense system. The method of claim 1, The access control server performs a distributed denial of service attack characterized by continuously updating user IPs normally connected before a distributed denial of service attack (DDoS) as a first list, and using abnormally held user IPs as a second list. DDoS) defense system. The method of claim 1, The access control server is configured to automatically remove the user IP registered in the first list and the second list from each list when a predetermined time elapses after applying a time stamp to block or allow access for a predetermined time. Defense against Distributed Denial of Service Attacks (DDoS). The method of claim 1, The access control server defense system for a distributed denial of service attack (DDoS), characterized in that to display a warning message to the client using a pop-up window if the user IP of the connected client corresponds to the second list. The method of claim 1, If the user IP of the connected client corresponds to the second list, the access control provider presents a treatment method to the client by using a web page, and warns the user to click a 'block list release request' button after the treatment. Distributed defense denial of service (DDoS) defense system characterized in that. The method of claim 1, The authentication server, A communication unit for exchanging information with a client and a connection control server, Puzzle generation unit for generating the authentication key, Puzzle transmission unit for transmitting the authentication key to the client of the user IP delivered from the access control server, A key input determination unit determining whether the key input data and the authentication key match when the key input data is transmitted from the client through the communication unit; And a connection control unit for allowing access by determining that the user is a normal user when the key input data input by the client and the authentication key match with each other, and determining that the user is an abnormal user when the key input data is not input. Distributed Denial of Service Attack (DDoS) defense system, characterized in that. The method of claim 10, The puzzle generation unit checks a supported language using information included in the URL of the client, and generates a graphic puzzle of a different language according to the supported language for each client. Defense system. The method of claim 1, The access control server or the authentication server includes an update unit for adding a user IP allowed to access from the authentication server to the first list and adding the user IP blocked from access to the second list. Defensive attack (DDoS) defense system.

Images